[Freeipa-users] Force IPA to accept password?

Thu Sep 26 15:35:23 UTC 2013

As far as I can tell, password policy is enforced on the client side, not
the directory side.

I set up a self-service password reset utility which enforces its own rules
and bypasses the IPA password policies.

I used this one:

http://ltb-project.org <http://ltb-project.org/wiki/>

I created a user that had the ability to create passwords, but IIRC there
was some setting I had to change so that the passwords created didn't
require a change.

I'm pretty sure someone in this list told me how, so I'll search and see if
I can find it.

--Jason

On Thu, Sep 26, 2013 at 8:58 AM, Innes, Duncan <Duncan.Innes at virginmoney.com
> wrote:

> Sorry,
>
> > -----Original Message-----
> > From: Martin Kosek [mailto:mkosek at redhat.com]
> > Sent: 26 September 2013 14:29
> > To: Innes, Duncan
> > Cc: freeipa-users at redhat.com
> > Subject: Re: [Freeipa-users] Force IPA to accept password?
> >
> > On 09/26/2013 01:05 PM, Innes, Duncan wrote:
> > > Hi,
> > >
> > > Can I force IPA to accept a new password that I have chosen?
> >
> > What password do you have in mind? A password of an IPA user?
> >
>
> Yes - for my authentication when SSHing onto a Linux box.
>
> > >
> > > Today I've had to change my password in 2x AD domains and
> > > other places according to policy.  I've done this.
> > >
> > > But coming to IPA, I find that I've chosen a "BAD
> > > PASSWORD".  Without getting into the merits of the AD password
> > > policy and the security of the password I've chosen, can I
> > > force IPA to accept my new password at all?
> >
> > Well, without getting into security of the approach, you
> > could change the global password policy or group password
> > policy so that the new password is
> > accepted:
> >
> > $ ipa pwpolicy-mod --minlength=5
> >
> > or
> >
> > $ ipa pwpolicy-add usergroup --minlength=5
> >
> > ... to "fix" whatever failing password policy attribute.
> >
>
> The error comes from a dictionary check I think.  AD does as well as far
> as I know, but would appear to have a smaller dictionary or looser
> rules.
>
> Kind of what I expected/feared though.  I don't want to change the IPA
> policy at all, just override it's objection.  For now, I went the long
> route and changed my IPA password first, then changed the other
> passwords
> To match what IPA was happy with.
>
> > HTH,
> > Martin
> >
>
> Cheers & thanks for your help
>
> Duncan
>
> This message has been checked for viruses and spam by the Virgin Money
> email scanning system powered by Messagelabs.
>
>
>
> This e-mail is intended to be confidential to the recipient. If you
> receive a copy in error, please inform the sender and then delete this
> message.
>
> Virgin Money plc - Registered in England and Wales (Company no. 6952311).
> Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL.
> Virgin Money plc is authorised by the Prudential Regulation Authority and
> regulated by the Financial Conduct Authority and the Prudential Regulation
> Authority.
>
> The following companies also trade as Virgin Money. They are both
> authorised and regulated by the Financial Conduct Authority, are registered
> in England and Wales and have their registered office at Discovery House,
> Whiting Road, Norwich NR4 6EJ: Virgin Money Personal Financial Service
> Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited
> (Company no. 3000482).
>
> For further details of Virgin Money group companies please visit our
> website at virginmoney.com
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130926/7c1c10b6/attachment.htm>